Skip to content
Snippets Groups Projects
Select Git revision
  • renovate/quay.io-shivering-isles-postfix-3.x
  • main default protected
  • renovate/redis-21.x
  • renovate/docker.io-bitnami-kubectl-1.x
  • renovate/tigera-operator-3.x
  • renovate/cloudflare-5.x
  • renovate/docker.io-library-nextcloud-31.x
  • renovate/kubernetes-go
  • ci/tekton-gobuild
  • feat/tekton
  • feat/keycloak-operator
  • fix/immich-1.125
  • feat/s3dav-proxy
  • feat/runtime-policy
  • feat/arm64
  • feat/mail-oauth2
  • refactor/mastodon
  • ci/add-k8s-cluster
  • ci/test-helm-docs
  • ci/earthy-images
  • v25.06
  • v25.05
  • v25.04
  • v25.03
  • v25.02
  • v25.01
  • v24.12
  • v24.11
  • v24.10
  • v24.09
  • v24.08
  • v24.07
  • v24.06
  • v24.05
  • v24.04
  • v24.03
  • v24.02
  • v24.01
  • v23.12
  • v23.11
40 results
Compare
Renovate Bot's avatar
chore(deps): update...
Botaniker (Bot) authored 
chore(deps): update ghcr.io/tektoncd/triggers/controller-f656ca31de179ab913fa76abc255c315 docker tag to v0.32.0
95f6a59a
History
Renovate Bot's avatar 95f6a59a
History
Name Last commit Last update
.chglog
.vale
apps
bin
bootstrap
charts
clusters/k8s01
docs
images
infrastructure
scripts
shared
talos
tekton
terraform
views
.gitignore
.gitlab-ci.yml
.gitleaksignore
.sops.yaml
.vale.ini
Earthfile
README.md
renovate.json
README.md

Shivering-Isles GitOps Infrastructure

This repository has become the centre of Shivering-Isles Infrastructure. It homes basically all deployments of software, various custom container images, various self-maintained helm charts and more.

Usage

For SI-GitLab this would look like this:

export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
  --hostname=git.shivering-isles.com \
  --ssh-hostname=git.shivering-isles.com:2222 \
  --ssh-key-algorithm ed25519 \
  --owner=<your user / team> \
  --repository=<your repository name> \
  --path=clusters/<your cluster name>

Ideas & ToDo's

This toolchain is still under development. Before it will be used in production there are still some things left to do:

  • Buy hardware for the project.
  • Provide CLI container that contains all tools.
  • Automate overlay network deployment (calico)
  • Use encrypted overlay network (calico+wireguard)
  • Automate cluster monitoring deployment (kube-prometheus)
  • Automate ingress-controller deployment (ingress-nginx)
  • Automate policy enforcement (kyverno) deployment
  • Encrypt root filesystems for all nodes (LUKS + clevis)
  • Enforce SELinux on the deployed machines
  • Automate system upgrades using Kubernetes (system-upgrade-controller)
  • Automate system configuration using Kubernetes (system-upgrade-controller)
  • Provide an fully encrypted (handled on host level) storage class (longhorn)
  • Deploy cert-manager
  • Deploy credentials for cert-manager
  • Automate ingress-controller default certificate deployment
  • Add encrypted deployment instructions (SOPS + fluxcd)
  • Integrate Renovatebot with this repository to manage updates.
  • Automate Kubernetes upgrades
  • Automate ingress-controller configuration for proxy-protocol
  • Migrate apps to GitOps and Kubernetes
  • Deploy kubelet with proper certificates
  • Centralised logging (using loki/greylog/ELK/…)
  • Add secure runtime class (gVisor/kata-container/…) for exposed containers
  • Move to immutable base-system
  • Set Priority classes for workloads (on namespace level it's done, but helm releases still need adjustment)
  • Harden egress NetworkPolicies keycloak, forecastle, matrix
  • Backup essential volumes using mc and client-side encryption and Object Locks